ABSTRACT

This invention relates to a novel smartcard-based authentication technique using a smart card that encrypts the time displayed on the card with a secret, cryptographically strong key. The (public) work station receives as input certain values defining the user, the card and a particular value derived from the encrypted time and encrypts and/or transmits these values to the server. The server, in turn, computes from received values some potential values and compares these to other received values. If the server determines a match, an accept signal is transmitted to the work station.

21 Claims, 3 Drawing Sheets
AUTHENTICATION METHOD AND SYSTEM WITH A SMARTCARD

BACKGROUND OF THE INVENTION

Field of the Invention

Broadly speaking, this invention relates to an authorization or authentication method in an environment where persons access a computerized system via remote terminals, e.g. in a banking system or in a data base system with restricted access. In many cases, personal identification numbers (PINs) and smartcards, i.e. devices containing a limited processing capability, are used in such computerized applications to help or enable authenticating a human user who has to identify himself/herself to the system.

More particularly, this invention relates to a novel smartcard-based authentication technique using a smartcard that encrypts a running value, e.g. the time, displayed on the card with a secret, cryptographically strong key. A (public) work station and a server compute, transmit and/or encrypt various values to provide a secure channel between the human user and the server.

Description of Related Art

User Authentication and Related Exposures

In order to obtain access rights to system resources, a human user needs to prove his identity or authenticate himself to the entities that permit access control on protected resources. In a distributed system environment, the resources are usually remotely located with respect to the user; thus, the authentication of the user to the access control agent requires the exchange of messages that constitute the user authentication protocol. The authentication protocol helps the user to prove his identity to the authentication server (AS) by demonstrating his knowledge of a secret (e.g. a password or PIN) that is shared with the AS.

User authentication protocols suffer from an inherent exposure to masquerading by malicious intruders. An intruder can spoof, intercept and replay the authentication messages. In cases where a secret is sent in clear text (as in most traditional log-in procedures) simple spoofing and replay is sufficient to break the protocol. More recent protocols, as disclosed e.g. by R. Needham and M. Schroeder in "Using Encryption for Authentication in Large Networks of Computers", Communications of the ACM, December 1978, (hereinafter "Needham et al"), use the user's secret as an encryption key or as a seed from which an encryption key is derived. However, this measure is only partly useful because, as described in T. Lomas, L. Gong, J. Saltzer and R. Needham in "Reducing Risks from Poorly Chosen Keys", Proceedings of ACM Symposium on Operating System Principles, 1989, such an encryption key is weak and can be easily broken by wiretappers. This weakness is due to the lack of randomness in the way human users choose their secrets and to the human beings' difficulty of remembering perfectly random numbers. In other words, the user's secret is chosen out of a space that is relatively small in comparison with the minimum key space required by a good cryptographic algorithm. Typically, the secret is a password chosen from a dictionary the size of which (on the order of 10^5) is by several orders of magnitude smaller than, for example, the one (2^56) required by the Data Encryption Standard DES (National Bureau of Standards: "Federal Information Processing Standards, Publication 46", 1977). The cryptographic keys derived from such weak secrets can be easily broken by brute force attacks based on exhaustive search in the relatively small key space from which the secret is chosen.

A practical mechanism for recovering strong cryptographic keys using weak secrets without exposure is provided by smartcards as shown by M. Abadi, M. Burrows, C. Kaufman, and B. Lampson, "Authentication and Delegation with Smartcards", DEC SRC Technical Report 67, October 1990, (hereinafter "Abadi, et al.") and by H. Konigs, "Cryptographic Identification Methods for Smart Cards in the Process of Standardization", IEEE Communications Magazine, June 1991.

Authentication with Smart Cards

A smartcard is a device with processing capability that contains a cryptographic key. One purpose is to aid user authentication in a hostile environment. Unlike the weak keys (passwords and PINs) used by human beings, the smartcard's key [can be chosen from the] total key space of the cryptographic algorithm in use. The probability of success with a brute force attack based on exhaustive search in the key space is therefore negligible. [The user] must [enable] smartcard operation by authenticating himself using a weak initial secret, but this interaction takes place directly between the user and the card (via a card's key-pad or a protected card reader device) without any involvement of untrusted media. Thereafter, all data exchanged over the untrusted network is sent under the protection afforded by encryption using the smartcard's strong secret. Since the card is a simple device (not unlike a calculator) it is trusted by the principals involved.

Basic Considerations

In this section, the physical characteristics of the smart card design will be addressed in general. The following features influence both the cost and the security of the smartcard protocols.

[Galvanic Connection: a galvanic connection allows the card] to communicate [directly with the] work station [without the] involvement of [the user in the transfer] of information between the card and the work station. Also, [with] a galvanic connection, a card needs no power (battery) of its own, [which the] work station can provide. Unfortunately, the cost of equipping every work station with a secure card reader [(and] every card [with] a receptor) can be prohibitively [high], especially in a cost-conscious environment.

Interaction Complexity: a relevant factor is the volume of information that a user must exchange with the card. A galvanic connection eases the problem since the interface between the card and the work station allows for fast information transfer without human involvement. Alternatively, when no galvanic connection exists, the user must act as an intermediary between the card and the work station. To provide increased ease of use, the goal is to skew the tradeoff towards increased functional complexity for minimal interaction complexity. In this respect, an ideal protocol with no galvanic connection would require the input of one bit on the card (e.g., an on/off button and no key-pad) and the reading of a number by the user.
Key-pad: a key-pad may be needed to enter into the card the user's secret like a password or a PIN. If a card is not equipped with a galvanic connection, other information may need to be entered via a card's key-pad (i.e. in this case, the user acts as a conduit between the work station and the card).

Clock: a clock may be required for generating timeliness indicators and, possibly, nonces as shown in the Needham et al. article. However, a clock requires a battery which has to be replaced or recharged periodically. In the Abadi et al. article, the authors suggest that "having a clock is particularly difficult because it requires a battery". While a battery is indeed required, having a clock does not have to present difficulties. Nowadays, many personal electronic gadgets operate on dry cell batteries without any significant penalty in cost or performance. Wristwatches, pocket calculators and hearing aids are the most widespread of these. Such devices can either require a change of battery every 2-3 years, or be disposable.

Display: a display is imperative when there is no electric coupling between a smartcard and a work station. With a galvanic connection, however, a work station's display may be utilized as described in the Abadi et al. article.

Non-volatile Storage: stable, non-volatile read-only storage is needed to store the card's secrets, e.g., a key or a nonce generator seed. It may also be needed to store public key(s) of the certification authority or the AS. Some designs may also require a non-volatile RAM to store secrets or sequence numbers generated at run-time. The drawback of maintaining a non-volatile RAM is the amount of power needed to refresh the memory, which is relatively high in comparison with the power required by a clock.

Volatile Storage: temporary, volatile storage is necessary to store certificates, session keys, etc., for the duration of an authentication session. It is, of course, desirable to minimize the size of volatile storage.

Encryption/Decryption Ability: the complexity of the encryption algorithm influences the cost and the performance of the card. One possibility is to confine the card's ability to a secret one-way function only. This simplifies the implementation.

In the following section, the main issues involved with the design of smartcard protocols are analyzed.

Protocol Scenarios

A smartcard protocol can perform either peer-to-peer or server-based authentication.

In the peer-to-peer case, the protocol achieves the authentication of a user to remote entities that control the access to target resources. The smartcard and the user must therefore possess a pair-wise authentication capability with respect to every remote program which the user may need to access. The pair-wise authentication capability can be implemented by a shared secret key with conventional cryptography (DES) and by the private key of the user with a public-key scheme.

In the server-based case, the remote program [is] an AS that provides the user's local programs with a pair-wise authentication capability which is subsequently used in peer-to-peer authentication. A more sophisticated server-based protocol can be designed to perform a two-stage authentication a la Kerberos, as disclosed by J. Steiner in "The Kerberos Network Authentication Service Overview", MIT Project Athena RFC, Draft 1, April 1989, whereby the initial phase of the protocol is dedicated to the authentication of the human user and to the delegation of his rights to the local programs and the subsequent phases to the server-based authentication of the user's programs accessing remote programs. The initial phase of the [protocol requires] the smartcard, whereas the [subsequent] authentication between the [local programs and the remote] ones may not require smartcard interaction and uses the credentials delegated during the first phase.

Conversely, the protocols may also vary depending on the smartcard's involvement in the authentication process. In one extreme, the smartcard may keep the total control of all the authentication exchanges between the local and remote programs whereas in the other extreme the smartcard's involvement may be kept at a minimum by its utilization in the authentication of the user and in the delegation of the user's rights to local programs only.

Symmetrical versus Asymmetrical Cryptography: many existing smartcard schemes employ asymmetrical (public key) cryptography. This has the main drawback that public key encryption remains quite expensive in terms of both implementation and performance. On the other hand, smartcard techniques employing conventional symmetrical encryption suffer from a heavy administrative burden owing to the need to maintain a per card record at the AS in addition to user records containing passwords.

Further to the literature cited above, the following publications are related.

W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, November 1976.

R. Rivest, "The MD4 Message Digest Algorithm", Proceedings of CRYPTO'90, August 1990.

R. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Communications of the ACM, February 1978.

As described above and apparent from the references, there are various systems available that use smartcards. Existing smartcard designs, as described e.g. in the Abadi et al. article, use a delegation technique whereby the card acts on behalf of the user by deploying its strong cryptographic capability. Nonetheless, before the card can run any protocol on behalf of the user, the latter has to authenticate himself to the card. Some early smartcard designs did not involve any such authentication; mere possession of the "personalized" card identified the user. Other, more recent designs require some interaction between the user and the smartcard. The main disadvantage of the delegation scheme is the need for a fixed relationship between the smartcard and the user. The drawback of such a relationship is twofold.

First, there is a requirement for the card's capability to authenticate the user: the smartcard must contain the user's secret in order to authenticate the user. This requirement implies the need to define the user secrets (password or PIN) at the time where these secrets are stored in the card, e.g. when the card is manufactured or when the card's memory is programmed. This reduces the user's ability to change his secrets with the ability to update the card's storage.

Second, there is an administrative burden of maintaining the card-user relationship: since the card is acting on behalf of the user with respect to external parties, the relationship between the card and the user must be
corroborated and protected by the administration so that all transactions performed by a card can be accounted as performed by the associated human user. In order to maintain such a relationship the administration that delivers cards must assure a safe distribution, update and revocation of the smartcards.

The disadvantages of the existing smartcard designs that are due to the fixed card-user relationship are overcome by the novel technique presented here. The smartcard according to this invention is not personalized. It is used only as a mechanism to obtain a secure channel between the user and the remote authenticating party. According to the invention, the smartcard's identity is not associated with any user. Consequently, with this new concept, the registration of the user's secret in the smartcard, the safe distribution of cards to users and the protection of smartcards by the users are not needed and smartcards can even be shared by several users without causing any exposure.

SUMMARY OF THE INVENTION

The present invention is a new smartcard-based authentication protocol. One main feature of this protocol is that the security of the smartcard and of the human user are not tied together. This property is obtained by using the smartcard not as a representative of the user's identity but only as a means to provide a cryptographically secure channel between the user and the remote authentication station. These goals lead to a design of a new authentication protocol with the following advantages.

The protocol is suitable for existing computing environments consisting of simple work stations with no special security device like protected smartcard readers.

The protocol requirements are minimal by avoiding public key cryptography and expensive card features.

The protocol is secure against possible attacks.

The smartcard is not personalized, i.e., it is not associated with a particular user. This property implies several advantages. First, there is no administration cost; the smartcard does not need to be registered under a user's name, or sent to a particular user with safe courier. Smartcards can be freely purchased over the counter with no special registration procedure and subsequently shared or exchanged. Second, potential masquerading is prevented; since a smartcard, by itself, does not represent any user, its theft carries no danger. In other words, a stolen smartcard can not be misused in any way to obtain the rights of any of its past or future users. Third, there is no PIN storage on the card; the user's secret does not need to be stored on the card. This eliminates the need for entering, updating and storing user specific secrets, e.g. passwords, PINs, biometric patterns, on the smartcard. This feature leads to a low-cost design.

The smartcard's secret key is not stored in the AS. This property offers the advantage of a minimum key management requirement. The AS has to keep only one key to be able to retrieve all the smartcard keys. The management of the smartcard keys has therefore a minimal complexity. The key storage in the AS is independent of the existing card population; addition, update, revocation of smartcards and/or their keys have no effect on the AS.

The smartcard protocol described above achieves the above mentioned goals with minimum requirements for smartcard and protocol features. No hardware modifications to existing terminal or work station equipment seem necessary, i.e. no card readers or physical coupling on the work station, if so desired. Also, the design does not rely on public key cryptography or other sophisticated encryption algorithms that impose significant execution overhead. Further, only a secret one-way function is required, e.g. DES encryption. Finally, the authentication protocol achieves, if desired, more than the traditional user-to-AS authentication. It may also provide for a kind of symmetric AS-to-user authentication which can be obtained at the discretion of the user at minimal cost by a visual comparison of two numbers.

To summarize, the invention is a method and a system for authenticating a user with a smartcard, said system including an authentication server and a plurality of distributed work stations or terminals connected to the server. The smartcard has a card identifier, a running value device (e.g. a clock), input and/or output means, and encrypting means with a secret card key for encrypting [the running value]; the [server holds] the user names, user PINs, one or more secret keys and, preferably, card identifiers. In brief, the following method is performed.

a. The smartcard indicates the card running value and computes a card encryption of this indicated running value under its secret card key.
b. The work station receives the user name, the card identifier, the card running value, and a user authenticator computed from the user's personal identifier and the card encryption.
c. The work station transmits to the server the user name, the card running value, the card identifier, and an encryption of the card running value under the user authenticator.
d1. The server determines a potential secret card key from the received card identifier and a potential personal identifier from the received user name.
d2. The server now computes a potential encryption of the received running value under the potential secret card key, and, combining the potential personal identifier and the computed encryption, obtains a potential user authenticator.
d3. The server then computes a potential encryption of the received card running value under the potential user authenticator and compares it to the received encryption value of the card running value under the user's authenticator.
e. If a match of the potential encryption value with the received encryption value is determined, the server transmits an accept signal to the work station concerned.

Details are disclosed in the following description of a preferred embodiment of a method and a system according to the invention in connection with the appended drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a basic scheme for a system implementing the invention.

FIG. 2 shows a smartcard with an internal clock as used with the invention.

FIG. 3 illustrates the method according to the invention in a time diagram.

FIG. 4 depicts a first method of composing a user authenticator.

FIG. 5 depicts a second method of composing a user authenticator.

DESCRIPTION

FIG. 1 shows a very general scheme for an implementation of the invention. A user 1 with his/her smartcard 2 enters a system that includes a number of public work stations 3 connected to an authentication server or AS 4 via one of said work stations 3.

An example for a smartcard 2 is shown in FIG. 2, which depicts a card with a built-in internal clock. The following smartcard features are significant.

No card-user relationship: smartcard 2 is completely decoupled from the user. It has no PIN or password checking capabilities and acts only as a means for providing a secure channel between the user and the AS. A card can be purchased over the counter in a retail shop. There is no buyer registration required and users are free to resell, exchange, discard or lend the card to anyone.

No key-pad: since the user enters no data into smartcard 2, it has no key-pad but only a button 5, a sequence button, to control the sequencing of subsequent displays (see below) by the card within a single authentication [session].

No galvanic connection: smartcard 2 has no galvanic connection. No card reader is thus required.

Display: smartcard 2 has a display 6, preferably an LCD display.

Clock: smartcard 2 has a built-in clock. The clock does not necessarily have a dedicated display. The running value is displayed (and the display is active) only when the card is on. The clock does not need to be particularly precise; second precision is sufficient for reasons explained below.

One-way function: smartcard 2 implements a [secret one-way function, e.g. DES encryption under a secret] key. However, if an encryption-decryption algorithm is used as a one-way function, smartcard 2 does not need to incorporate the entire algorithm; encryption alone is sufficient.

Smartcard's secret: every smartcard [possesses] a secret, Kc, which is computed as Kc=E(Kas, SNc) where SNc is the unique serial number 7 of smartcard 2 and Kas is a card key generation key, a secret key known only to the AS. At the time of manufacture, each card is assigned a unique SNc and a corresponding Kc. While Kc is a secret value, SNc is not. For example, SNc may be etched onto every card, not unlike other serial numbers on other electronic merchandise, as shown in FIG. 2. Even the means for generation of SNcs is not necessarily kept secret; it may simply be a monotonically increasing 32-bit (ten-digit) number.

Every legitimate user is identified by a combination of, first, a unique user (or log-in) name and, second, a password or a PIN. A password may be an alphanumeric string of, say, eight characters, while a PIN is generally a numeric string (i.e., a decimal number) of at most five-six digits in length. For clarity's sake, the term PIN is used hereafter to mean both password and PIN in their traditional sense.

Every AS 4 is responsible for keeping the records of its constituent users. A user's record includes, among other things, the name and the PIN of the user. For further refinement, the AS 4 may know only a one-way function of the PIN, similar to the way some modern operating systems store only a one-way function of the users' passwords. However, for simplicity's sake, it is assumed that the PIN itself is stored by the AS 4. The only information that AS 4 has to know about all smartcards is the card key generation key, Kas. AS 4 does not keep track of the identities or secrets of individual smartcards.

The goals of the method here implemented are twofold. First, the method must provide mutual authentication of the AS and the user. (Workstation authentication is not taken into account here, but a basic protocol can be easily extended to provide it.) Second, the method must provide for delegation of the user's identity to the work station for a limited duration.

The protocol implementing the method according to the invention consists of the following steps which are depicted in FIG. 3.

STEP 1

User 1 begins by activating or turning on smartcard 2 using sequence button 5 (FIG. 2) on the card. The card immediately computes and displays, either sequentially or simultaneously, two values to the user:
TIME, which is the current time,
Nc=E(Kc,TIME), i.e. an encryption of the current time under Kc, the secret key of the card. Throughout the rest of this section this value is referred to as Nc. Although time is predictable or easily guessed, its encryption under a strong secret key is random and unpredictable. Furthermore, as a clock doesn't run backward, Nc is [guaranteed] to be unique. Hence, Nc can be considered a strong nonce.

STEP 2

User 1 supplies the following values to the work station 3:
[U: the user name,]
[SNc: the serial number read from the card,]
TIME: Current time taken from the card's display,
Ku: user's authenticator, preferably computed as Ku=Nc-PINu, where PINu is the user's PIN. The [assumption] in this step is that it is fairly easy for the user to compute the difference between Nc and PINu. Moreover, it is not necessarily an arithmetic difference that the user has to compute. For each digit of Nc it [suffices] to enter the [difference] between that particular [digit] and the corresponding digit of the PIN. Ku is a one-time credential that delegates the identity of the user to the work station [without disclosing the] PIN to the work station. The work station can use Ku to act on behalf of the user during the authentication session, for instance, as a key encryption key to get pair-wise keys from AS 4 to communicate with other systems. The validity of Ku is limited in time, because it is computed as a secret function of the current time value. The lifetime of Ku can be defined as (TIME+lifetime) or included as an explicit value in the expression of Ku.

STEP 3

Now work station 3 sends to AS 4:
U, SNc, TIME: All unmodified from previous step 2.
Kp=E(Ku,TIME): Encryption of TIME under Ku. Here, it is assumed that Ku forms a valid encryption key. By sending this value, work station 3 proves to AS 4 that it was granted a valid one-time credential by user 1, i.e. Ku, without disclosing the value of the latter.

The AS uses the received SNc and Kas to compute a potential Kc, named Kc'. Next, it computes a potential Nc'=E(Kc',TIME), using the TIME received from work station 3. Using U, AS looks up a potential personal identifier PINu' and obtains a potential user authenticator Ku'=Nc'-PINu'.

Then, the AS recomputes a potential encryption Np'=E(Ku',TIME) and compares it with its counterpart Np supplied by the work station in previous step 2.
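The core exchange of STEPs 1 through 3 (steps a through e of the summary), as an added simulation that is not part of the patent: the card, the user's hand computation of Ku, the work station and the AS are modelled in Python, with HMAC-SHA256 truncated to 64 bits standing in for the DES one-way function E, and with a constructed Kas, serial number, clock value and user records; the AS also applies the maximum-skew check on the clear-text TIME field that the description of STEP 4 relies on.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The patent uses DES as the secret one-way function E(K, X). The Python
# standard library has no DES, so this added example substitutes HMAC-SHA256
# truncated to 8 bytes (64 bits, one DES block). The protocol logic does not
# depend on which keyed one-way function is chosen.
def E(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def time_bytes(t: int) -> bytes:
    """TIME is modelled as a count of seconds (the card needs only second precision)."""
    return t.to_bytes(8, "big")


def to_digits(value: bytes) -> str:
    """Nc is an 8-byte value that the card shows to the user as 20 decimal digits."""
    return str(int.from_bytes(value, "big")).zfill(20)


def compose_ku_subtract(nc_digits: str, pin: str) -> str:
    """Ku = Nc - PINu as the user computes it by hand (the FIG. 4 method): subtract
    the PIN digit-by-digit modulo 10 from the first six digits of Nc and copy the
    remaining fourteen digits unchanged."""
    head = "".join(str((int(n) - int(p)) % 10) for n, p in zip(nc_digits, pin))
    return head + nc_digits[len(pin):]


@dataclass
class Smartcard:
    snc: str      # serial number SNc: public, etched on the card
    kc: bytes     # secret card key Kc = E(Kas, SNc), installed at manufacture
    clock: int    # the built-in clock, modelled as a settable integer

    def step1(self):
        """Sequence button pressed: the card displays TIME and Nc = E(Kc, TIME)."""
        return self.clock, to_digits(E(self.kc, time_bytes(self.clock)))


def workstation_step3(u: str, snc: str, time: int, ku: str) -> tuple:
    """STEPs 2 and 3: the work station takes U, SNc, TIME and Ku from the user and
    sends U, SNc, TIME and Np = E(Ku, TIME) (written Kp in STEP 3 above) to the
    AS. Ku itself never leaves the work station."""
    return (u, snc, time, E(ku.encode(), time_bytes(time)))


class AuthServer:
    def __init__(self, kas: bytes, users: dict, max_skew: int = 120):
        self.kas = kas            # card key generation key: the only card secret
        self.users = users        # user name -> PIN (the patent's simplification)
        self.max_skew = max_skew  # loose clock synchronisation with the cards

    def issue_card(self, snc: str, clock: int) -> Smartcard:
        """Manufacture: Kc is derived from SNc, so the AS keeps no per-card record."""
        return Smartcard(snc, E(self.kas, snc.encode()), clock)

    def verify(self, u: str, snc: str, time: int, np: bytes, now: int) -> bool:
        """STEP 3 at the AS: recompute Kc', Nc', Ku', Np' and compare with Np."""
        if abs(now - time) > self.max_skew:   # clear-text TIME is checked first
            return False
        pin = self.users.get(u)               # potential PINu'
        if pin is None:
            return False
        kc_p = E(self.kas, snc.encode())                 # Kc' = E(Kas, SNc)
        nc_p = to_digits(E(kc_p, time_bytes(time)))      # Nc' = E(Kc', TIME)
        ku_p = compose_ku_subtract(nc_p, pin)            # Ku' = Nc' - PINu'
        np_p = E(ku_p.encode(), time_bytes(time))        # Np' = E(Ku', TIME)
        return hmac.compare_digest(np_p, np)             # accept only on a match


def authenticate(server: AuthServer, card: Smartcard, u: str, pin: str, now: int) -> bool:
    """One run of STEPs 1 to 3; `now` is the AS clock when the message arrives."""
    time, nc = card.step1()
    ku = compose_ku_subtract(nc, pin)   # the user's hand computation
    return server.verify(*workstation_step3(u, card.snc, time, ku), now=now)


# Constructed sample data: one Kas, two registered users, one unpersonalised card.
KAS = b"constructed Kas, known only to the AS"
SERVER = AuthServer(KAS, {"alice": "493021", "bob": "770614"})
CARD = SERVER.issue_card("0000123456", clock=45302)   # 12:35:02 as seconds since midnight

if __name__ == "__main__":
    print(authenticate(SERVER, CARD, "alice", "493021", now=45310))  # accepted
    print(authenticate(SERVER, CARD, "bob", "770614", now=45310))    # same card, other user
    print(authenticate(SERVER, CARD, "alice", "493022", now=45310))  # wrong PIN: rejected
```

The same card serves both users because nothing user-specific is on it; a wrong PIN, an unregistered name, a stale TIME or a card from a different Kas all end in rejection.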
If there is a match, AS 4 replies to work station 3 with an accept signal.

The above steps 1 through 3 define the core of the invention. The reply by AS 4 to public work station 3 may have different forms. A preferred example is given below, including steps 4 through 6.

STEP 4

[AS 4 sends to work station 3:]
E(Ku,f(TIME)): Encryption of f(TIME) under Ku, whereby the function f is a simple arithmetic function, e.g., one's complement.
E(Kc,f(TIME)): Encryption of f(TIME) under Kc.

In this step, AS 4 is simultaneously assured of the freshness and the authenticity of the message it received. The authentication of both the smartcard and the user is attained by recomputing E(Ku,TIME). This is because Ku is uniquely dependent on SNc, Nc and PINu. Freshness is confirmed as a part of the same sequence of checks since Nc depends on a particular TIME value. Furthermore, the clear text TIME field can be validated before any other checks are made. (One may recall that loose time synchronization between smartcards 2 and authorization servers 4 is assumed, i.e. there is a maximum time skew.)

STEP 5

The work station optionally verifies E(Ku,f(TIME)) and displays E(Kc,f(TIME)) on the screen. This step assures the work station that someone, presumably AS 4, possesses Ku.

STEP 6

In order to perform his own verification of AS 4, the user pushes the smartcard's sequence button 5 and reads the authentication value expected from the AS, E(Kc,f(TIME)), on smartcard display 6 and performs a visual comparison of this value with the corresponding value sent by AS 4 and displayed by work station 3 (cf. previous step).

If the two values match, the authentication is completed. The goal of this comparison is to assure user 1 that he/she has, in fact, been communicating with AS 4, since no one but AS 4 and smartcard 2 at hand can compute E(Kc,f(TIME)).

It is important to clarify the meaning of the last step. Most (if not all) existing smartcard-based authentication protocols only provide for the authentication user-to-AS, but not AS-to-user. The protocol above provides for bidirectional authentication. However, if AS-to-user authentication is not desired, user 1 is free to forego the last step entirely.

Finally, user 1 may turn smartcard 2 off by pushing sequence button 5 the last time for this session.

The whole protocol is illustrated pictorially in FIG. 3.

USABILITY CONCERNS

The main usability concern in the above scheme has to do with the interaction complexity of the authentication protocol, i.e., the number of operations imposed on the human user. These operations include:
Entering SNc and TIME into the work station.
Composing Ku from PIN and Nc and entering Ku into the work station.
(Optional) visual comparison of E(Kc,f(TIME)) displayed by the work station and its counterpart dis[played by the smartcard].

Of these three operations, only the first two are labor-intensive; the third is strictly optional. In the first operation, SNc is read directly from the smartcard as a decimal number of, say, 10 digits. The time can also be entered directly as a decimal number (e.g. 12:35:02). Alternatively, the work station can be programmed to display its own time (which is assumed to be fairly close to the time kept by the smartcard) and the user can modify the displayed value to match the one shown by the smartcard.

The heaviest burden placed on the human user is the composition of Ku. In the remainder of this section, the techniques for easing this task will be discussed.

In the protocol description above, Nc is assumed to be an 8-byte number that can be represented by 20 decimal digits. Assuming that the PIN is a 6-digit decimal number, the user can obtain Ku in two alternative ways. (Of course, there are many other variations possible as well.)

The user subtracts digit-by-digit his PIN from the first six digits of Nc. For example, the first six digits of Nc can be displayed highlighted in order to ease visual operations. Ku is then entered by the user to the work station as the six decimal digits resulting from the subtraction followed by the fourteen remaining digits of Nc. FIG. 4 gives an example for composing Ku in that way. Of course, this method requires the ability to perform subtraction of six decimal digits digit-by-digit (modulo 10). Part A of Ku in FIG. 4 is obtained from the first six digits of Nc; part B of Ku is simply copied as the last fourteen digits of Nc.

There may be reasons one may want to avoid even such a simple subtraction of two single-digit numbers. In that case, the goal is to prevent a user from writing things down on a piece of paper or using a work station-provided calculator.

One simple solution to this problem is to have each work station display on its screen (or attached to it physically) a simple 10-by-10 table of single-digit decimal numbers and their differences (e.g. row 9, column 6 will display 3).

Alternatively, as shown in FIG. 5, the display area of the smartcard can be labelled so that each digit of Nc is associated with a fixed number (index) carved on the plastic or printed on the LCD. The first ten digits of Nc are thus numbered from 0 to 9. Using each digit of his PIN as an index, the user reads the Nc digit displayed below the label corresponding to the value of the PIN digit. Each PIN digit thus points to an Nc digit that is entered to the work station to form the first six digits of Ku. The remaining ten digits of Ku are copied directly as the last ten digits of Nc. In FIG. 5, part C of Ku is obtained from the first ten digits of Nc and part D of Ku is copied as the last ten digits of Nc. The advantage of this scheme is that no arithmetic is required from the user.

The resulting Ku is only sixteen digits, which reduces its width to 56 bits, from Nc's 64 bits. However, the Data Encryption Standard (DES) specifies 56-bit encryption keys.

ANALYSIS

In this section, the protocol presented above shall be analyzed. The following assumptions are made:

Every smartcard's secret, Kc, is a strong key. The derivation of Kc from Kas can be designed to be as strong as required by a particular application because

played by the smartcard. there is no limit on the complexity of this operation that 
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is performed only by the AS as opposed to other opera- 
tions that are also performed by the smartcard. 

The smartcard is trusted to faithfully display appro- 
priate values. 

It is difficult to subvert the smartcard 's hardware and 
obtain the secret (Kc) or otherwise manipulate the card, 
e.g. set back the clock. 

The smartcard clock or other running value device is 
assumed to be monotonous increasing. 

The smartcard can be stolen. 

Any public work station can be taken over by a hos- 
tile party. All communication involving a work station 
is subject to interception and divulgement and the work 
station may contain trojan horse programs that disclose 
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The case of a shared smartcard must also be consid- 
ered. If two users, A and B, share the same smartcard, 
the issue is whether it is possible for one of them, say A, 
to discover the other's, say B's, PIN. It is fair to assume 
that user A could subvert a public work station and 
discover B's Ku. Then, in order to extract user B's PIN, 
user A will need to obtain the same Nc as was used to 
compute B's Ku. A cannot obtain it by manipulating the 
smartcard after the fact since Nc values are time- 
dependent. Hence, the only viable method of attack is 
to look over the shoulder and record Nc the "hard 
way". However, this is an issue in any method, e.g. also 
in current non-smartcard techniques. 
While the invention has been shown and described 
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all the information entered by the user into the work 15 with reference to a preferred embodiment, variations 
station or sent by the AS. 

A bona fide registered user may turn malicious — his 
purpose may be to discover other users'secrets, e.g. by 
letting them use his smartcard. 

The main purpose of this analysis is show that the 20 
protocol achieves three goals. Goal one is that the AS 
believes that it is talking to a particular user U at a 
particular time T through a particular smartcard C. 
More formally, this can be stated as follows. AS be- 
lieves that U recently generated Ku using C. Applying 
the above assumption that, only U and the AS know 
PINu and no two smartcards share the same key, only C 
can generate Nc=E(Kc,T) and, hence, only U can 
compute Ku=Nc— PINu. 

Goal two is that the user U believes that he/she is 
talking to AS at time T. Again, more formally, this can 
be stated as follows. U believes that AS recently gener- 
ated E(Kc,f(T)). Assuming that f is one-to-one, e.g. 
one's complement, f(T) does not form a valid time 
stamp. Therefore, E(Kc,f(T)) could not have been genr 
erated by C in the past. Using the assumption that only 
the AS and C know Kc, U is assured that AS's commu- 
nication is authentic and timely. 

There is, however, a small caveat. Since the smart- 40 
card has no knowledge of its immediate user, its chal- 
lenge value, E(Kc,f(T)), can not be dependent on the 
user; neither can the AS's response to that challenge. 
Therefore, if two well-meaning (and even mutually 
trusting) users decide to save time by activating the 45 
smartcard only once for both log-ins, the second part of 
the message returned by the AS (E(Kc,f(T))) will be 
identical in both cases. This implies that a malicious 
work station can mislead one of the two users into be- 
lieving that he/she is talking to the AS. 

The third important goal is that PINu should not be 
discoverable by an intruder. The user enters PINu indi- 
rectly in step 2 of the protocol. Since Ku is the only 
value dependent on the PIN in the entire protocol, the 
only venue for obtaining the PIN is from Ku. This is 55 
reasonable, since one of the assumptions is that a work 
station may turn malicious and try to misuse Ku. How- 
ever, in order to extract the PIN from Ku, the knowl- 
edge of Nc is required; one may recall that Ku=Nc- 
— PINu. But, Nc is known only to the AS, the smart- 60 
card, and the user. 

One of the principal assumptions is that the smartcard 
clock never runs backward. It guarantees that Nc are 



and modifications can be made without departing from 
the spirit and scope of the invention as laid down in the 
following claims. 
We claim: 

1. A method for authenticating a user with a smart- 
card to a system including an authentication server and 
a plurality of distributed work stations connected to 
said server, said smartcard having a unique card identi- 
25 fier and including a running value device, input-output 
means, and encrypting means with a secret card key, 
said server having stored user names, user personal 
identifiers, at least one secret key, and card identifiers, 
said method comprising the following steps: 

(1) indicating with a smartcard a card running value 
and computing with the smartcard a first encryp- 
tion of the card running value under a the secret 
card key; 

(2) receiving at a work station a user name, a card 
identifier, the card running value, and a user au- 
thenticator computed from a user's personal identi- 
fier and the first encryption; 

(3) transmitting from the work station to the server 
the user name, the card running value, the card 
identifier, and a second encryption of the card 
running value under the user authenticator; 

(4) deternaining with the server a potential secret card 
key from the received card identifier and a poten- 
tial personal identifier from the received user name; 

(5) computing with the server a first potential encryp- 
tion of the received card running value under the 
potential secret card key, and, combining the po- 
tential personal identifier and the computed first 
potential encryption to obtain a potential user au- 
thenticator; 

(6) computing with the server a second potential 
encryption of the received card running value 
under the potential user authenticator, and compar- 
ing the second potential encryption to the received 
second encryption; and 

(7) determining if the second potential encryption 
matches the received second encryption, and trans- 
mitting an accept signal from the server to the 
work station if a match is determined. 

2. The method according to claim 1, further compris- 
ing deriving the secret card key of the smartcard from 
the card identifier by encrypting the card identifier with 
a server secret key, storing at the server user names, 



50 



never "recycled", i.e. every Nc is unique and unpredict- 
able. Therefore, although a work station may accumu- 65 user personal identifiers, and said server secret key, and 
late a number of Ku values for the same user or many detennining at the server the potential secret card key 
different users, it is not able to extract a single PIN, from the received card identifier and the server secret 
since in all Ku values, a PIN is masked by a nonce. key. 
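The method claimed above, run end to end as an added illustration (this is not code from the patent, nor from any implementation the patent describes): claim 1 steps (1) to (7), the card-key derivation of claim 2, the skew check of claim 7, and the AS-to-user response of claim 11 that STEPs 5 and 6 describe, with both Ku compositions from the USABILITY CONCERNS section (the FIG. 4 digit-wise subtraction and the FIG. 5 index scheme) as interchangeable options. DES is replaced by a keyed-hash stand-in E() (HMAC-SHA256 truncated to 64 bits and rendered as the 20 decimal digits the text gives Nc); the six-digit PIN, the minute-counter running value, the skew limit MAX_SKEW, and every user name, PIN and card identifier are assumptions or constructed sample data.

```python
"""Simulation of the claimed method: claim 1 steps (1)-(7), the card-key
derivation of claim 2, the skew check of claim 7, the AS-to-user response of
claim 11 (STEPs 5 and 6), and the two Ku compositions of the USABILITY
CONCERNS section. Added illustration, not code from the patent. DES is
replaced by a keyed-hash stand-in E(); six-digit PIN, minute-counter clock,
MAX_SKEW, user names, PINs and card ids are assumptions / constructed data."""
import hashlib
import hmac

MAX_SKEW = 2  # claim 7: largest tolerated |TIME - server clock| (assumed value)


def E(key: bytes, value: int) -> str:
    """Stand-in for a 64-bit block cipher: keyed 64-bit tag shown as the 20
    decimal digits the text gives Nc, so it fits a smartcard display."""
    tag = hmac.new(key, value.to_bytes(8, "big"), hashlib.sha256).digest()[:8]
    return f"{int.from_bytes(tag, 'big'):020d}"


def f(t: int) -> int:
    """One's complement of the running value; never a plausible time stamp."""
    return (~t) & ((1 << 64) - 1)


def ku_by_subtraction(nc: str, pin: str) -> str:
    """FIG. 4: part A = (Nc digit - PIN digit) mod 10 over the first six
    digits, part B = the remaining fourteen digits of Nc copied unchanged."""
    part_a = "".join(str((int(n) - int(p)) % 10) for n, p in zip(nc[:6], pin))
    return part_a + nc[6:]


def ku_by_index(nc: str, pin: str) -> str:
    """FIG. 5: the first ten Nc digits are labelled 0..9; each PIN digit picks
    the Nc digit under its label (part C) and the last ten digits are copied
    (part D). No arithmetic for the user; Ku shrinks to sixteen digits."""
    return "".join(nc[int(p)] for p in pin) + nc[10:]


class Smartcard:
    def __init__(self, card_id: str, kc: bytes, clock: int):
        self.card_id, self.kc, self.clock = card_id, kc, clock

    def indicate(self):
        """Step (1): the card shows TIME and Nc = E(Kc, TIME)."""
        return self.clock, E(self.kc, self.clock)

    def expected_as_value(self, t: int) -> str:
        """STEP 6: the value the user compares with what the AS sent back."""
        return E(self.kc, f(t))


class AuthServer:
    def __init__(self, kas: bytes, users: dict, clock: int, compose):
        # users maps user name -> PIN; compose is the agreed Ku scheme
        self.kas, self.users, self.clock, self.compose = kas, users, clock, compose

    def card_key(self, card_id: str) -> bytes:
        """Claim 2: Kc is derived from the card identifier under Kas."""
        return hmac.new(self.kas, card_id.encode(), hashlib.sha256).digest()[:8]

    def authenticate(self, name: str, card_id: str, t: int, second_enc: str):
        """Steps (4)-(7) plus the claim 7 skew check; returns (signal, third encryption)."""
        if abs(t - self.clock) > MAX_SKEW:             # claim 7: discontinue processing
            return "reject", None
        pin = self.users.get(name)                      # potential personal identifier
        if pin is None:
            return "reject", None
        kc = self.card_key(card_id)                     # step (4): potential card key
        ku = self.compose(E(kc, t), pin)                # step (5): potential Ku
        if not hmac.compare_digest(E(ku.encode(), t), second_enc):  # step (6)
            return "reject", None
        return "accept", E(kc, f(t))                    # step (7) and claim 11


def login(card: Smartcard, server: AuthServer, name: str, pin: str):
    """One session. The PIN is used only on the user's side to compose Ku;
    the work station receives name, card id, TIME and Ku (step (2)) and
    sends E(Ku, TIME) (step (3)). Returns (server signal, STEP 6 verdict)."""
    t, nc = card.indicate()
    ku = server.compose(nc, pin)
    signal, third = server.authenticate(name, card.card_id, t, E(ku.encode(), t))
    verified = third is not None and hmac.compare_digest(third, card.expected_as_value(t))
    return signal, verified


def demo(compose=ku_by_subtraction) -> dict:
    """The accept case and the failure modes the Analysis section discusses."""
    server = AuthServer(b"constructed Kas", {"alice": "123456"}, 27_000_000, compose)
    card = Smartcard("SN-0001", server.card_key("SN-0001"), clock=27_000_001)
    drifted = Smartcard("SN-0001", card.kc, clock=27_000_010)  # beyond MAX_SKEW
    t, _ = card.indicate()
    return {
        "good": login(card, server, "alice", "123456"),
        "wrong_pin": login(card, server, "alice", "123457"),
        "clock_skew": login(drifted, server, "alice", "123456"),
        # f(T) is no valid time stamp, so nothing built on it can be fed back
        # to the AS as a fresh TIME: the skew check rejects it outright
        "complement_replay": server.authenticate("alice", "SN-0001", f(t), "0" * 20),
    }
```

demo() returns the accept case together with three of the failure modes the Analysis section discusses: a wrong PIN, a card clock outside the tolerated skew (claim 7), and an attempt to present f(T) to the AS as if it were a fresh TIME, which the skew check rejects because, as the text notes, f(T) does not form a valid time stamp. demo(ku_by_index) exercises the arithmetic-free FIG. 5 scheme instead; user and server must of course agree on one composition.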
3. The method according to claim 1, wherein the smartcard data resulting from said indicating step (1) is electrically entered into the work station.

4. The method according to claim 1, wherein the smartcard data resulting from said indicating step (1) is optically entered into the work station.

5. The method according to claim 1, wherein the smartcard data resulting from said indicating step (1) is manually entered into the work station.

6. The method according to claim 1, wherein the smartcard must be activated to indicate a running value.

7. The method according to claim 1, further comprising validating with the server the received card running value, comparing the received card running value to the server's internal running value, and, if the difference exceeds a predetermined size, discontinuing processing.

8. The method according to claim 1, further comprising validating with the server the received card running value, comparing the received card running value to the server's internal running value, and, if the difference exceeds a predetermined size, transmitting a message to the work station.

9. The method according to claim 1, further comprising that if a match of the second potential encryption with the received second encryption is determined, computing with the server a third encryption of a function of the received running value under the received user authenticator, and transmitting the third encryption to the work station.

10. The method according to claim 9, further comprising the step of displaying to the user the third encryption value transmitted by the server to the work station.

11. The method according to claim 1, further comprising that if a match of the second potential encryption with the received second encryption is determined, computing with the server a third encryption of a function of the received running value under the secret card key, and transmitting the third encryption to the work station.

12. The method according to claim 11, further comprising the step of displaying to the user the third encryption value transmitted by the server to the work station.

13. A system for authenticating a user with a smartcard, said system including authentication server means and a plurality of distributed work stations connected to said server means, comprising:

said smartcard having
a card identifier,
a running value device for indicating a card running value,
input-output means, and
encrypting means with a secret card key for computing a first encryption of the indicated card running value under the secret card key,

each said work station having
input means for receiving the user name, the card identifier, the card running value, and a user authenticator computed from the user's personal identifier and the first encryption,
means for encrypting the card running value under the user authenticator,
means connectable to said server for transmitting to the server the user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator,

said server means having
at least one memory storing user names, user personal identifiers, at least one secret key, and preferably, card identifiers,
means for determining a potential secret card key from the received card identifier and a potential personal identifier from the received user name,
means for computing a first potential encryption of the received card running value under the potential secret card key,
means for obtaining a potential user authenticator from the potential personal identifier and the computed first potential encryption,
means for computing a second potential encryption of the received card running value under the potential user authenticator,
means for comparing the second potential encryption with the received second encryption,
means for transmitting a signal to the work station, which is an accept signal if the second potential encryption matches the received second encryption, and which is a non-accept signal otherwise.

14. The system of claim 13, wherein the running value device in the smartcard is a continuously running clock.

15. A method for authenticating a user with a smartcard to a system including an authentication server and
at least one distributed work station connected to said 
server, said smartcard having a unique card identifier 
and including means for generating a running value, 
input-output means, and encrypting means with a secret 
card key, said server having stored user names, user 
personal identifiers, at least one secret key, and card 
identifiers, said method comprising the following steps: 

(1) generating a card running value with the running 
value generating means and computing with the 
smartcard a first encryption of the card running 
value under a secret card key; 

(2) receiving at a work station a user name, a card 
identifier, the card running value, and a user authenticator computed from a user's personal identifier and the first encryption;

(3) transmitting from the work station to the server 
the user name, the card running value, the card 
identifier, and a second encryption of the card 
running value under the user authenticator; 

(4) determining a potential secret card key from the
received card identifier and a potential personal 
identifier from the received user name; 

(5) computing a first potential encryption of the re- 
ceived card running value under the potential se- 
cret card key, and, combining the potential per- 
sonal identifier and the computed first potential 
encryption to obtain a potential user authenticator; 

(6) computing a second potential encryption of the 
received card running value under the potential
user authenticator, and comparing the second po- 
tential encryption to the received second encryp- 
tion; and 

(7) determining if the second potential encryption 
matches the received second encryption, and trans- 
mitting an accept signal from the server to the 
work station if a match is determined. 

16. The method according to claim 15, wherein steps 
4, 5, and 6 are performed at the server. 

17. The method according to claim 15, wherein steps 
4, 5, and 6 are performed at a station within a computer- 
ized system. 
18. A system for authenticating a user with a smartcard to an authentication server and a plurality of distributed work stations connected to said server, comprising:

(1) means for indicating with a smartcard a card running value and computing with the smartcard a first encryption of the card running value under a secret card key;

(2) means for receiving at a work station a user name, a card identifier, the card running value, and a user authenticator computed from a user's personal identifier and the first encryption;

(3) means for transmitting from the work station to the server a user name, the card running value, the card identifier, and a second encryption of the card running value under the user authenticator;

(4) means for determining with the server a potential secret card key from the received card identifier and a potential personal identifier from the received user name;

(5) means for computing with the server a first potential encryption of the received card running value under the potential secret card key, and, combining the potential personal identifier and the computed first potential encryption to obtain a potential user authenticator;

(6) means for computing with the server a second 
potential encryption of the received card running 
value under the potential user authenticator, and 
comparing the second potential encryption to the 
received second encryption; and 

(7) means for determining if the second potential 
encryption matches the received second encryp- 
tion, and transmitting an accept signal from the 
server to the work station if a match is determined. 

19. The system according to claim 18, wherein the 
smartcard comprises: 

means for associating a unique card identifier with the smartcard,
means for generating a running value,
input-output means, and
encryption means connectable to said running value generating means.

20. The smartcard of claim 19, further comprising: 

(1) means for activating input to the smartcard, and 

(2) means for displaying output of the smartcard. 

21. The smartcard of claim 19, further comprising 
data transfer means for communicating the card data to 
an external device. 

***** 